1. Definitions

  • Services: Penetration testing and related security assessment services as described in the relevant Statement of Work (“SOW”).
  • Deliverables: Reports, attestation letters, and other outputs as detailed in the SOW.
  • Captured Data: Data accessed or discovered by LMN Security during testing, excluding data provided in the ordinary course of the contract.
  • Charges: The fees payable for the Services, as set out in the SOW or Order Form.

2. Structure and Scope

  • This Agreement sets out the overarching terms and conditions for all penetration testing services provided by LMN Security to the Client.
  • Each engagement will be further detailed in a mutually agreed SOW, which will specify the scope, objectives, deliverables, timescales, and fees for the Services.

3. Term and Termination

  • This Agreement shall commence on the Effective Date and continue until terminated by either party in accordance with this section.
  • Either party may terminate this Agreement or any SOW:
    • For convenience, with 30 days’ written notice.
    • For material breach, if not remedied within 30 days of written notice.
    • Immediately if the other party becomes insolvent or unable to pay its debts.
  • Termination of this Agreement shall not affect any accrued rights or obligations.

4. Services and Deliverables

  • LMN Security will provide penetration testing services as described in each SOW, which may include:
    • External and/or internal infrastructure testing (black-box, grey-box, or white-box approaches as agreed).
    • Vulnerability identification, exploitation attempts, and risk assessment.
    • A written report detailing findings, risk prioritisation, and recommended remedial actions.
    • A written attestation letter including an executive summary of the findings, suitable to be shown to stakeholders.
  • LMN Security will only access systems and data within the agreed scope and will not intentionally disrupt Client operations.
  • LMN Security will also provide remediation support and verification services as described in each SOW.

5. Client Responsibilities

  • Provide all necessary access, information, and authorisations to enable LMN Security to perform the Services safely and effectively.
  • Ensure that all relevant stakeholders are notified of the testing schedule.
  • Complete any pre-engagement questionnaires or documentation as required for the specific test.
  • Maintain backups and contingency plans for systems in scope.

6. Confidentiality and Data Protection

  • Both parties shall keep all information obtained during the engagement confidential and shall not disclose it to third parties except as required by law or with written consent.
  • LMN Security will comply with the Data Protection Act 2018 and UK GDPR in handling any personal data.
  • Captured Data will be limited to what is necessary to demonstrate vulnerabilities and will be securely deleted or returned upon request.

7. Intellectual Property

  • All intellectual property in methodologies, tools, and know-how used by LMN Security remains the property of LMN Security.
  • The Client is granted a non-exclusive, non-transferable licence to use the Deliverables for internal purposes only.

8. Charges and Payment

  • Charges for Services and payment schedule will be as set out in each SOW.
  • LMN Security reserves the right to suspend Services for late payment.

9. Limitation of Liability

  • LMN Security’s total liability under this Agreement (whether in contract, tort, or otherwise) is limited to the total Charges paid by the Client under the relevant SOW.
  • LMN Security is not liable for indirect, consequential, or special damages, loss of profit, or loss of data, except as required by law.

10. Warranties

  • LMN Security warrants that it will provide the Services with reasonable skill and care.
  • No guarantee is given that all vulnerabilities will be identified or that the Client’s systems will be secure after testing.

12. Guarantees and Refunds

12.1 Service Outage Guarantee

LMN Security takes every reasonable precaution to avoid disruption to the Client’s systems during the course of penetration testing. However, should LMN Security cause an unplanned outage to a server that is critical to other infrastructure (including, but not limited to, Active Directory Domain Controllers (AD DC) or medical equipment), LMN Security guarantees a refund of 75% of all charges previously paid by the Client and the cancellation of all upcoming invoices for the affected engagement, while still fulfilling all agreed-upon services.

12.2 Eligibility and Notification

To qualify for a refund under this clause:

  • The outage must be directly attributable to actions taken by LMN Security during the agreed testing window and within the agreed scope of work.
  • The Client must notify LMN Security in writing of the outage, including reasonable details of the impact and affected systems, within 3 business days of the incident.
  • For an outage to qualify, it must either cause disruption to hospital operations or result in a server being unavailable for at least thirty (30) continuous minutes. In the case of medical devices, any denial-of-service—regardless of duration—shall be considered an outage.

12.3 Exclusions

This guarantee does not apply to:

  • Outages resulting from pre-existing system vulnerabilities, misconfigurations, or failures unrelated to LMN Security’s actions.
  • Systems or equipment not explicitly identified in the agreed scope of work or pre-engagement documentation.

13. Acceptance

  • Deliverables will be deemed accepted unless the Client notifies LMN Security of any material non-conformance within 10 business days of delivery.

14. General

  • No third party has the right to enforce any term of this Agreement except as expressly provided.
  • Any variation to this Agreement must be in writing and signed by both parties.
  • By signing the Statement of Work (SOW), the Client agrees to the terms outlined in this document.